Posted by Unknown Lamer on Wednesday October 12, 2011 @10:01AM from the only-criminals-want-due-process dept.

GeorgeK writes "VeriSign, the monopoly registry operator for .com/.net domain names, has submitted a proposal to ICANN (PDF) describing an 'Anti-Abuse' policy. If allowed to proceed with such a policy, they would become judge, jury and executioner, with the ability to suspend or even cancel alleged 'abusive' domain names without due process for registrants. The proposal even recognizes that legitimate domain names may be taken down improperly, and offers a 'protest' procedure. However, VeriSign does not appear to offer any ability to protest an accusation of abuse before the suspension or cancellation. They intend to 'shoot first and ask questions later.'"

Mod +10 insightful. That's exactly what will come next, or some sort of Verisign Domain Deactivation Insurance Fee. Why, after all ill deeds of this company ICANN still allowed them within a thousand miles of being primary root/registrar for the two most important TLDs is beyond me. VeriSign has shown sufficient avarice, maliciousness and incompetence on a sufficient number of occasions that it just baffles my mind that they didn't have it yanked years ago.

I was the network guy for a small ISP when Verisign introduced Site Finder. Believe me, at that point my boss and I decided it couldn't be worse if Satan was running those TLDs, and we weren't quite sure if it wasn't Satan running them.

IIRC, ICANN/IANA tried to sue them out of business in the late 1990s when they partially screwed up DNS (replacing NXDOMAIN answers with their "domain finder" landing page). VeriSign won in the last second using legal tricks and soon made friends with similar minds in the US gov. Since then they grew rapidly and -which irony- went from rogue provider to "security provider" and even CA.
Wikipedia has some very insightful articles about the "domain finder" affair.

Let's not forget the Verisign complaints fee, register a complaint and pay a substantive deposit to have any name taken down for any reason, all liabilities are yours and Verisign keeps the deposit money. Why the rest of the world hasn't told ICANN to take a leap with Verisign, well, I guess it is only a matter of time.

We can find other companies that will do what VeriSign does without violating our First Amendment right to free speech.

That shouldn't be hard, seeing how VeriSign only operates a few database machines. That said, VeriSign doesn't violate the First Amendment, seeing how that only prevents the government from limiting your free speech; as it turns out, that's one Hell of a loophole.

VeriSign, when working in conjunction with the federal government, works as an agent of the government. Hence, denial of their domain would be a denial of their free speech rights which would be a violation of a person's first amendment rights. And it is a first amendment rights violation. Since VeriSign does not own the domain name system nor the certificate system they are working as part of a larger project funded and likely directed by the Federal Government and hence their actions are directly tied

Let's sort of clarify some of this for you guys. Verisign is like a sign company. It simply makes something that identifies you. It doesn't own what is created. For instance, your business name is used as a domain name. Just because VeriSign gives you the domain it doesn't mean that it owns that company name, even within the context of the domain.

If you allowed VeriSign that sort of control it would be like a sign company that made a sign for your business being able to shut down your business because

No it hasn't. You've just become more aware. You can trace deals like this at least as far back as the building of the railroads in the US. I believe that Britain has records of similar hijinks that go back to the middle ages. I'm sure other countries do too. They'd go back further, but corporations were invented during the middle ages. Before then, and even while they were developing, most of the slimy deals were made by individual wealthy people. Corporations didn't really become commonly dominant until after WWI, possibly as late as WWII. Before then the major problem was tycoons. And before them aristocrats.

None of them have ever been worth trusting as classes, though I'll admit that individual people were sometimes trustworthy. But that was unusual. Powerful organizations are not trustworthy. It's not money that corrupts, it's lack of consequences. You see it in corporations, you see it in politicians, you see it in police, you even see it in anonymous e-mail. It's pretty nearly universal. Some individual people avoid corruption. But it isn't what one should expect.

This is why control in civilization should be decentralized. So that people can't create for themselves "spheres of invulnerability". But this goes contrary to what everyone wants, because everyone wants a "safe space", where they can control what happens. This isn't a problem, unless that "safe space" infringes on other people.

P.S.: Anyone know a cell phone that has a white-list option? (I, too, want a safe space. A space where I can decide who is allowed to interrupt me.)

Every government employee or agent of the government that violates someone's constitutional rights (any and all rights) should be charged with a crime. It is that simple. The law covering that should not allow anyone to be shielded by the government nor pardoned by the government. We'd see far fewer issues where corporations collude with the government....

The protocol between DNS servers would have to be changed in a P2P DNS system.

The protocol between DNS Server and clients would not have to change at the onset. Only once Corps and Govs decide to go MAFIAA on the new DNS system will the Client/Server protocol need to go Encrypted/Obfuscated. /RANT My grand-children will not believe me when I tell them that DNS requests and answers used to be plain text and handled by a monopoly.

That's where Social engineering comes in. The same system that decides which DNS name belongs to which IP will have to be Tamper/Troll proof.
- What happens when a Name changes hands?
- What happens when a Judge decides to show the world he knows nothing about the DNS system to please the Rich/Gov?
That's the fun part.

DNS by its nature requires some hierarchy. Either that or you end up with a system that's forced to use nonsense names like .onion sites and namecoin.

The current DNS is a hierarchy, but that doesn't mean that every hierarchy has to be implemented like the current DNS, that every Internet naming system has to be hierarchical, or that any alternate system would require nonsensical names.

You're right, I did some research and it seems to be a first-come-first-served system (which I acknowledged is another possibility [slashdot.org]), which is easier on the fingers and memory but is actually more chaotic than a system using nonsense names. Domain squatting would be a massive problem.

The root of each TLD is centralized. That's how we wind up with TFA's problem.

There's a group that has something working reminiscent of the way torrent magnet links work. I can't remember their name now.

You don't need everybody to switch - you just need to get resolvers to support the alternate lookup method and provide a better solution for enough users. If it works right, most people don't notice the alternate plumbing.

All true, and great for a time when Jon Postel was what it meant to run a registry. The RFCs didn't anticipate the kind of interference that NetSol is proposing.

There don't have to be namespace collisions, though. Why is it that Visa cards are all 4xxx, MasterCards are 5xxxx and Discover cards are all 6xxx? Couldn't Visa start issuing cards in the 5xxx range? Of course, but it's mutually beneficial for all of the players to interoperate. Nobody would trust a name service provider that was purposefully destructive (unless forced to through monopoly) so we would expect they'd operate in a trustworthy manner by default.

Also look at the world BGP routing table. It's all distributed, you have to earn trust to participate, and there are occasional mistakes. Even still, it lets me get these characters from here to wherever Slashdot's servers are, and has proven effective, even if there's room for improvement. Imagine if everybody had to go register their routes through a single route registrar and make changes on their website.

People who are greedy, people who are power hungry, etc. are the same no matter where. They go to where the path of least resistance is. In some countries they are the inner party. In others they wear top hats and monocles. At times they lead the guilds/unions. Sometimes they co-opt the press. In some they have the top hats, inner parties, unions and press badges.

The Nobel Peace Prize was created after Nobel realized his peaceful and life saving invention of TNT had been co-opted for war. TNT is just

Many of these abusive domains are very fleeting and transient, designed to live for just a few hours. If you want due process, it has to come before the registration. So domain name registration would then follow guidelines similar to Trade Mark and other corporation registration rules. It would slow down the registration process a lot and impact the fees Verisign is currently collecting. The domain name abuse is getting to be very bad, and it could trigger legislation. Legislation by the congress critters who imagine internet to be a series of tubes would put onerous burdens on the registrants and the registrars. So it is heading it off at the pass.

Well then, a reasonable compromise to limit the potential for collateral damage might be a rule that makes it impossible for them to suspend a domain that's been registered in good standing for more than a year without full due process, and provides a way to register a domain quickly, but subsequently complete a more exhaustive registration process that -- when completed -- immediately grants the domain the same protected status as one that's been around for more than a year.

That way, they can still nuke botnet command & control domains, but somebody whose domain has been around for more than a year (OR who has completed the more time-consuming registration procedure) could sleep at night knowing that Metaphorical Judge Dredd isn't allowed to touch THEIR domain. It wouldn't completely eliminate collateral damage, but it would eliminate the overwhelming majority of situations where a legitimate domain owner could suffer financial damage due to a careless or hasty employee somewhere.

That way, they can still nuke botnet command & control domains, but somebody whose domain has been around for more than a year (OR who has completed the more time-consuming registration procedure) could sleep at night knowing that Metaphorical Judge Dredd isn't allowed to touch THEIR domain.

Yea, and so can the spammers who have been planning for this to go into effect and have had thousands of names registered for over a year now through various individual names and companies.

They can use one a day and even if it gets cut off within a few minutes of the spam starting, they'll still be making a fortune off of them.

Spammers are more than willing to play by any technical rules you want to throw at them. More spammers use SPF and Domain Keys to prevent getting marked as spam than normal mail serv

Are you suggesting that a kangaroo court where one of the parties gets to hire the judge, there is no jury, no record of the proceedings, and no requirement that the decision be made in line with settled law isn't Fair, Just, and Efficient?

A DDoS or a petty "doxing" would be boring; but my schadenfreude lobe would be pulsating with happiness if their private signing key(s) were to make their merry way into the world.... Can you imagine the mayhem?

No, it shows that you have a really childish view of the world and you need to grow up.

I affect Verizon EVERY FUCKING DAY by not paying them a god damn dime. There are legitimate ways to deal with businesses, and there are childish, obnoxious and criminal ways to deal with someone. I choose the former, and you're too ignorant to know the difference between it and the latter. The thing is, Verizon ISN'T THAT BAD, because people still give them business BY CHOICE.

I should add that 'unauthorized' means any sort of access you aren't allowed to do, regardless of how you do it. Doesn't matter if I say 'The password to my account is fifty7', unless you are specifically authorized to use it, it's still illegal for you to do so, just like it's illegal for you to enter my home even if you found a key without my authorization.

This is helpful for potential malware/virus/etc sites - take it down NOW and address afterwards. As long as the ones taking the deactivation move witness it themselves, it's doable.

The problem comes with reports. Let's say you get 100 reports of a domain being a nasty one in a 5-minute period of time. You just *wham-bam* take that domain down without looking at it and you could have just been the worst link in a staged act chain.

I'm not trying to be an ass, but I'm posting what I witness daily: Everyone wants to save money, including big companies. If VeriSign were to have this ability (along with other TLD registrars), then they will likely want to automate everything they can. See paragraph 2 above.

See. If you 'let it be' and everything becomes private, you end up in that situation - private parties, over which you have no rights, decide how you live your life, what you hear, what you can know.

And the interests behind this will be as stupid as to not pursue any further avenue to censor, is it? Are you forgetting that ICANN is a private American corporation, and currently holds the domain name system?

Thanks for accepting the article. ICANN is still reviewing the proposal. If folks share my concerns, please do send them your comments by emailing registryservice@icann.org (from the top of ICANN's Registry Services Evaluation Process page [icann.org]). You can view comments by others here [icann.org]. EasyDNS has submitted their concerns too.

At a minimum, they should open up a formal 30 day public comment period that is widely advertised, in order that domain name registrants can be heard.

... in countries where the government-licensed utilities already have this power.

If TLD management were split among countries, so that Verisign handled .com and .net for US-based companies and foreign subsidiaries or foreign registrars handled it in foreign countries, then this kind of power might make sense for some foreign subsidiaries of Verisign or for some foreign registrars.

As for companies based in the United States who use a domain registrar in the United States, yanking a domain name without a court o

Just say no to idiocy.
I hope their "proposal" is rejected as the bad idea that it is. Mind you, it just encourages me and everyone else to dump this monopoly in favour of other ones that are less obnoxious. I.e. other domain registries e.g. country codes or .org or whatever.

Unnh...ICANN is authorized by act of congress. They have a contract with Verisign. So this is a legally authorized monopoly.

You can only "dump it" by refusing to use the *.com and *.org domains. (I *think* org is the second one.) So the question would then be "Who do you want to register your domain with?". Fortunately there are more answers this year than there were a few years ago, and fewer people are even aware what the domain is...but I'm always a bit hesitant when the link is to a domain that I d

I propose that they should not only implement this idea, but to track down the offenders and subject them to a gratuitous full body cavity search. You should be glad they won't need or require your consent, as this will be for your own good.

If you sum the number of days in each step of the Uniform domain name dispute resolution policy you quickly see that it can take tens of days to get a malicious domain shut down.
ICANN has long been in need of the ability to quickly react to burgeoning threats, and though the ambiguity of the policy as described is concerning, it's not without merits.

Q: Were consultations with end users appropriate? Which groups were consulted? What were the nature and content of these consultations?
A: As a registry operator, Verisign did not consult with the registrants of .com/.net/.name domain names.

Verisign is trying to expand their central but minor role as a registry operator into control of the whole system. Their agreement with ICANN expires on November 30, 2012, and ICANN could choose to get another registry operator. Right now, no proprietary technology or big staff is needed to be the registry operator. This added complication would make it tougher for ICANN to switch registry operators.

The whole certificate process is flawed, instead we should just have a way of proving that the authoritative dns servers of a domain agree a web site is the legitimate one. This can be done with public keys and crypto fingerprints. No need to pay the kind of scum that runs Verisign (the company that broke the internet one day with their money grubbing schemes) any money.

If ICANN wouldn't tear those TLDs out of Verisign's hands despite the fact that they basically broke DNS (and a bunch of other things, most infamously a lot of SMTP anti-spam measures) with their "Site Finder" service, I doubt very much that there's anything Verisign could do right now that would compel ICANN to go after them again.

They cannot be shut down, nor stopped. That is a wonderful thing - as long as a government has the ability to do something, it will find a way to use it to the detriment of its people. The best way to fight that is to remove the weapon from their insane fingers...